Mainly just utilizing this to learn, working on de...
# fleet
Mainly just utilizing this to learn, working on deploying a home lab much like CptOfEvilMinions with Ansible. I am actually trying to include the Polylogx via an extension and using overrides to manage the flag files. Which when i query the flags it has everything that is required, except it is not generating the pipe as seen down below. Which the default Fleet Flag that is where it is listed, which I believe is C:\Program Files\Orbit\osquery.em . Is this correct? Or is this something that Orbit will not create from the TLS Configs?
Copy code
hi jake, the path to that file depends on the root-dir you specify. If you don't specify it, it defaults as you mention to
C:\Program Files\Orbit\osquery.em
. Orbit does create that directory at the beginning
Thank you. I'm going to keep playing with it to figure why it's not creating.
If I add the parameters for overrides for Extensions to autoload, when I query the flags all the overrides are implace. But Extenstions are Inactive when pulling info, as well as querying the extension. Is this something you cant set from the agent_config options utilizing orbit?
not sure I follow, could you show me what you are running, and what you're expecting would happen?
I apologize. In the Agent_Options in the Org Config you can provide overrides such as various Flag Files. I have added an extensions.load with an extension directory. I have added the below to the Org Config.
Copy code
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
        allow_unsafe: true
        disable_distributed: false
        disable_events: false
        disable_extensions: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        enable_ntfs_event_publisher: true
        enable_powershell_events_publisher: true
        enable_windows_events_publisher: true
        enable_windows_events_subscriber: true
        extensions_autoload: \Program Files\osquery\extensions.load
        extensions_require: trailofbits_osquery_extensions,plgx_win_extension
        logger_kafka_acks: all
        logger_kafka_brokers: <plaintext://>
        logger_kafka_topic: fleettest
        logger_plugin: tls
        logger_tls_endpoint: /api/v1/osquery/log
        logger_tls_period: 10
        ntfs_event_publisher_debug: true
        pack_delimiter: /
        verbose: true
In theory when using orbit it should start those extensions. When I query all the flags, everything is in place as it should based off the options. When using Orbit, it does not launch the extensions. If you use Orbit with Flagfiles, it does not launch it. But if I use osqueryd with the exact same flagfile it launches.
In theory, I would expect it to load the extension much like osqueryd does with the flagfile.
I added verbose just to see if i could see anything or do anything cause I was going thru the flags that Fleet brought back.
Ah, you can't do
as part of the config. It must be part of the flagfile.
So would adding that to the agent options, wouldnt that add it to the flags? Cause I can launch orbit, when I pull the flags its listed as part of the flags.
Sorry if this is a hindrance, i think the platform is awesome. Just trying to find all the stuff I can do with it.
As seen in that picture all those flags were set via the Override. So I thought it would work. if that makes sense.
Awesome thank you very much ill check this out.
We need to add support for a flagfile in Orbit. There was actually an open PR for it I'll try to copy over (
FWIW we do have plans to support configuring osquery startup flags from the Fleet server via Orbit. Not built yet though.
Thank you I will check out both of those. I appreciate the help. Makes sense though, that Orbit starts with base configs instead of pulling the configs then starting. I will stop going down this rabbit hole.